Re: [CSP3] reflected XSS directive

I sent a copy of this to the OWASP projects leaders to fix.

- Jim

On 8/29/22 7:34 AM, Daniel Veditz wrote:
> On Mon, Aug 29, 2022 at 6:57 AM Harel Klopfer <Harel.Klopfer@hot.net.il> wrote:
>
>     I saw at the OWASP the reflected XSS directive for the CSP header
>     (site: https://owasp.org/www-project-secure-headers/#content-security-policy),
>     but I couldn't find this directive at your site.
>
> The OWASP documentation appears to contain old information from a 
> draft version of the spec. There is no "reflected-xss" directive in 
> CSP. A strict policy already combats reflected and stored XSS and some 
> DOM XSS without a special directive for it. If you wish to use CSP I'd 
> check out more in-depth information about it, but a couple of top-line 
> items:
> * if you use 'unsafe-inline' you are not preventing XSS at all
> * if you use 'unsafe-eval' that might allow XSS depending on your 
> site's code
> * using 'strict-dynamic' with nonces or hashes is more secure than a 
> whitelist of domains. Most domains have an abusable script on them 
> somewhere, so the whitelist approach can often be bypassed to achieve 
> XSS in practice.
>
> -Dan Veditz
>
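A small policy auditor that checks a Content-Security-Policy header for the pitfalls Dan lists above, and that flags the non-existent `reflected-xss` directive the thread is about. This is an added example, not code from the thread, OWASP or the W3C; the directive list and the two sample policies are constructed for illustration.

```python
"""Audit a CSP header for the script-src weaknesses discussed in the thread."""
import re

# Constructed subset of CSP3 directive names; enough for this check.
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "script-src-elem", "script-src-attr",
    "style-src", "img-src", "connect-src", "font-src", "object-src",
    "media-src", "frame-src", "child-src", "worker-src", "base-uri",
    "form-action", "frame-ancestors", "report-uri", "report-to",
    "upgrade-insecure-requests", "sandbox", "manifest-src",
}
NONCE_OR_HASH = re.compile(r"'(nonce|sha(256|384|512))-[^']+'")

def parse_csp(header):
    """Split 'name src src; name src' into {name: [sources]} (names lowercased)."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit_csp(header):
    """Return a list of human-readable findings; an empty list means no issue found."""
    policy = parse_csp(header)
    findings = [f"unknown directive '{name}' is not CSP; browsers ignore it"
                for name in policy if name not in KNOWN_DIRECTIVES]
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return findings + ["no script-src or default-src: scripts are unrestricted"]
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(NONCE_OR_HASH.fullmatch(s) for s in lowered)
    # Browsers ignore 'unsafe-inline' once a nonce or hash is present, so it is
    # only a problem when it is the actual policy rather than a legacy fallback.
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline': no XSS protection")
    if "'unsafe-eval'" in lowered:
        findings.append("script-src allows 'unsafe-eval': may enable XSS via eval()")
    hosts = [s for s in sources if not s.startswith("'")]  # host/scheme whitelist
    if hosts and "'strict-dynamic'" not in lowered:
        findings.append(f"host whitelist ({', '.join(hosts)}) without "
                        "'strict-dynamic': often bypassable via hosted scripts")
    return findings

# Constructed sample policies: the pattern the OWASP page implies vs a strict one.
WEAK_CSP = ("default-src 'self'; script-src 'self' https://cdn.example.com "
            "'unsafe-inline' 'unsafe-eval'; reflected-xss block")
STRICT_CSP = ("object-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic' "
              "https: 'unsafe-inline'; base-uri 'none'")
```

In the strict policy the `https:` and `'unsafe-inline'` entries are fallbacks for old browsers and are ignored by any browser that understands nonces and `'strict-dynamic'`, so the auditor reports nothing for it.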

Received on Monday, 29 August 2022 15:26:42 UTC